Selling data to the huge companies that collect information on shoppers, voters, and anyone with a pulse is a lucrative business. Those companies have so much information in their data stores that even relatively anonymous data can be used to identify particular individuals.

How shopper tracking works Sen. Franken had better luck getting information from Euclid than I did from YFind. His office sent a letter to Euclid in March, requesting information on how it collects and protects shoppers' data. The company answered (you can see it here), making a number of promises. Here are four of the main points, some pretty basic, but it is worth noting that until Franken demanded answers these were not in place.

Requiring all participating retailers to post signage telling consumers how to opt out of tracking

Requiring all retailers to undergo a comprehensive education program about the opt-out process

Strengthening the company's privacy policy to prohibit the sale, rental, or disclosure of any of Euclid's data to data brokers

Creating a formal policy outlining the company's requirements for a warrant or court order to comply with any request for data

Even these concessions have problematic aspects. Opting out is a policy that essentially puts the onus on shoppers to protect their privacy, says Maass, the EFF spokesman. How many shoppers are likely to see and understand a sign warning them they're being tracked? If they need to opt in, their participation really would be voluntary.

What's more, Euclid sets great store on its policy of "hashing" the Mac data. Internet-connected devices regularly send out signals ("pings") that contain their MAC address to find Wi-Fi hotspots. Euclid's sensors recognize the broadcasted ping, scramble the MAC address into what is known as a hash, discard the MAC address data, and send the hashed value to Euclid's servers, the company explains.

However, it's not at all clear that the hashing technique works reliably. In a post last year, Ed Felten, who blogs for the Federal Trade Commission, said this: "The casual assumption that hashing is sufficient to anonymize data is risky at best, and usually wrong." Felten illustrated how relatively easy it would be for a skilled hacker to unscramble hashed Social Security numbers. If a MAC address is known, data from Euclid's database can be matched to that person's phone, Euclid said in its answer to Franken's queries.

A friend of mine points out that shoppers are already tracked by in-store cameras. That's certainly true, but until facial recognition gets a lot better, those photos cannot be randomly matched. In any case, tracking via a cellphone is yet another invasion of privacy in our public spaces. Ideally, stores that use it should ask their customers if they care to opt in. I doubt that will happen, but at the very least, stores should warn customers and give them a chance to opt out -- or turn off their smartphones.

San Francisco journalist Bill Snyder covers business and technology. He writes regularly for CIO.com, Stanford's Graduate School of Business, and the Haas School of Business at the University of California at Berkeley.